I just changed the password on a school-related web site. After completing the change successfully, the next page showed what the password was changed to. Can I conclude from this that the password is not being stored only as a hash?

This is also worrisome for a different reason: Showing the password on screen makes it vulnerable to shoulder surfing. When the website is school-related, it is to be expected that people use it in a classroom with many other people present who are able to see their screen. This makes this even more negligent.
– Philipp Mar 31 at 13:08

21

Showing it on screen not only raises shoulder surfing concerns, but history concerns as well. If the browser history is not properly managed (read: cleared constantly) then someone could sit down at a PC, search for the password change page in the history folder, and come up with a bunch of passwords in one swing.
– Jeff Meden Mar 31 at 13:11

4

It might never be hashed; it might instead be encrypted/decrypted. Without seeing the server-side code (which could be any level of sophistication), there's no way we can know.
– user2338816 Mar 31 at 18:17

It might be wiser to differentiate between "stored in a way it can be retrieved" (be it plain text or reversible encryption) and "stored in an unretrievable way" (one way hashing).
– Konerak Apr 22 at 9:29

5 Answers
5

The password can be hashed on the server-side only, which implies that the password is sent in plain text to the server and stored in a variable. Then, nothing stops the Web application from displaying the sent password to the user, in the case where the very same script that has received the password is giving you the feedback about the password change.

On the other hand, if a whole other module gives you the password in plain text (perhaps a password recovery function), then you could conclude that it is not hashed.

Edit: To avoid any confusion, in this case "plain text" does not refer to SSL in any way, it simply suggests that the password is not sent pre-hashed to the server.

You cannot conclude that the password was stored in plain text, but please note that being not hashed does not exactly mean that the password is being stored in plain. It's possible that some (reversible) encryption is used, but from a security standpoint it's almost the same as being stored in plain text. If someone gains illegitimate access to the server's database to obtain the "encrypted" version of the password, they're equally likely to be able to obtain the private keys to decipher it. The only thing you can conclude is that you should never trust an administrator.
– Simón Apr 1 at 6:34

This doesn't include the possibility that it was simply stored in the session from page to page, and that they faked it when they said authoritatively "it was changed to password1". They could have simply assumed "Well, if it wasn't changed successfully it wouldn't have made it to this page, so we can safely say whatever was sent was successfully set."
– corsiKa Apr 2 at 16:46

@corsiKa We could bring up many different cases like what you just described and without seeing the actual code, we can only suppose. The important part is the conclusion.
– Simon Apr 2 at 16:51

You can't conclude the password was stored in plain text if it is redisplayed soon after you changed it. On the other hand if it is displayed after a while (days for instance) it may be a good hint that the password is indeed not hashed (it is stored in plain text or encrypted).

Anyhow, redisplaying a password is clearly not a best practice because it may compromise much more than the web site that is actually being visited.
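As an added illustration of the point made in the two answers above (this is constructed example code, not the school site's code): a change-password handler that stores only a salted PBKDF2 hash still holds the plaintext it just received, so it can echo it on the confirmation page, while nothing it stores would let a later page reproduce the password. The usernames and the in-memory store are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory account store: username -> (salt, PBKDF2 digest).
# Added illustration, not the code of the site in the question.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def _digest(password: str, salt: bytes) -> bytes:
    """One-way: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def change_password(username: str, new_password: str) -> str:
    """The change-password handler. It stores only a salted hash, yet the
    submitted plaintext is still in a local variable, so it can echo it on
    the confirmation page exactly as the question describes. That echo says
    nothing about how the password is stored."""
    salt = os.urandom(16)
    USERS[username] = (salt, _digest(new_password, salt))
    # Bad practice (shoulder surfing, browser history), but hash-compatible.
    return f"Password for {username} changed to: {new_password}"


def verify_password(username: str, candidate: str) -> bool:
    """Login check: recompute the digest and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _digest(candidate, salt))


def stored_record(username: str) -> bytes:
    """Everything the server keeps for this account: salt plus digest.
    A page visited days later has only this to work with, so it cannot
    show the plaintext; a site that can is storing the password in plain
    text or with reversible encryption."""
    salt, stored = USERS[username]
    return salt + stored
```

The confirmation string contains the plaintext, but the stored record does not, and only verification against a candidate is possible afterwards.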

If there is a low max length, it indicates that the developer does things because they sound good or because they are done in other places, without questioning whether it's a good idea. It doesn't indicate it's stored in plain text. Many high profile companies do this, including Microsoft, Blizzard, my bank, etc.
– Andreas Bonini Mar 31 at 16:04

3

The most common reason I've seen for a low max length is it's stored in the DB as varchar(15) for example. It's possible it's simply applied for no reason but that's why I said it's an indicator rather than 100% sure.
– Kevin T Mar 31 at 16:08

No, it doesn't. The password is probably sent to the page where it's displayed to you and at the same time it's stored. We can't say if it's stored hashed or not, but displaying the password to you does not mean it's not hashed. Like the other answers, I do agree that it's a terrible idea to show the password on the next page in plain text. It's bad anyhow to show it. Not the best example, but what if you changed your password when you're (in your case) with a student next to you. You tell him to turn around while you type in your password. You say you typed in your password to him, he turns around, the next page is loading and the person can just see your password. My friend was in the same situation and I saw his password.